Creating Digitally Signed Content
Providing reliable content to end users is an important part of app development, especially considering apps that have paid features or other elements that depend on trusted information. This article provides detailed instructions for creating secure, digitally signed content and testing its validity.
A Real World Example
Mary, app developer for Contrary, Inc., has been told to create an app that will run as a demo until the end user pays for a license. Once a license it obtained, and installed, the app should run without any restrictions. Mary decides the best way to know whether or not a license is valid is to digitally sign it, transfer it to the end user's machine, and use her app to verify that the signed content is valid. If it is, the app will run unrestricted. If the license is not valid, the app will continue to run as a demo.
Mary begins by creating her own digital certificate using various Microsoft digital certificate utilities. She then uses the Window-Eyes app WESign, along with her digital certificate, to create an install-able package of signed content that contains the end user's Window-Eyes serial number, tying the license to that specific copy of Window-Eyes. Mary then provides the content package to the end user, and the end user installs the package on the machine with the matching Window-Eyes serial number. The next time Mary's app runs, it will locate the signed content, and verify that the content's signature matches the signature that Mary originally used to sign the content. Once the content is verified, Mary's app will run fully licensed rather than as a demo, and the end user will be able enjoy the new features that they paid for.
Your Own Digital Certificate
Digital signatures are often used to offer assurance that content came from a known source, and that it has not been tampered with. A digital signature can be verified by a certificate authority or can be self-signed.
For the purposes of signing content specifically for app use, having a digital signature verified by a CA is unnecessary. After all, the communication path will be between the developer and the app, and will not involve any other party.
All of the tools necessary to create a self-signed certificate are available through the Microsoft Windows SDK. There are three specific, command line utilities that can be used to create a Personal Information Exchange (PFX) Certificate:
- makecert
- cert2spc
- pvk2pfx
Begin by useing makecert to create a standard X.509 certificate. In addition, a private key file (PVK) will also be created:
makecert -r -pe -n "CN=My Name" -sv mycert.pvk mycert.cer
Replace My Name with your own name, or a name you want to associate with your digital certificate. When prompted, enter a unique password for the certificate. You will need to retain this password for future use.
After your certificate and private key files have been created, you will need to create a Software Publisher's Certificate (SPC) using the cert2spc utility:
cert2spc mycert.cer mycert.spc
The SPC file is the public key for your digital certificate. You then need to combine the private key with the public key to create a Personal Information Exchange (PFX) file:
pvk2pfx -pvk mycert.pvk -spc mycert.spc -pfx mycert.pfx
When prompted, enter the password used to create your original certificate. The resulting PFX file will be used by the WESign app to sign content for distribution. Be sure to store all of the resulting files (PVK, CER, SPC, and PFX), along with the password used to create the certificate, in a safe and secure place. DO NOT DISTRIBUTE THESE FILES! Digital certificate files are used to digitally sign content, but should not be publicly accessible at the risk of having your content compromised.
